Data Breach Bill 2014 - Leahy S. 1897

II
113TH CONGRESS 2D SESSION
S. 1897
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
IN THE SENATE OF THE UNITED STATES

JANUARY 8, 2014 Mr. LEAHY (for himself, Mr. SCHUMER, Mr. FRANKEN, and Mr. BLUMENTHAL) introduced the following bill; which was read twice and referred to the Committee on the Judiciary
A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. 1 Be it enacted by the Senate and House of Representa-
2 tives of the United States of America in Congress assembled, 3 4

tkelley on DSK3SPTVN1PROD with BILLS
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE.This Act may be cited as the
5 Personal Data Privacy and Security Act of 2014. 6 (b) TABLE

OF
CONTENTS.The table of contents of
7 this Act is as follows:

VerDate Mar 15 2010 23:00 Jan 08, 2014 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\S1897.IS S1897
2
Sec. 1. Short title; table of contents. Sec. 2. Findings. Sec. 3. Definitions. TITLE IENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY Sec. 101. Organized criminal activity in connection with unauthorized access to personally identifiable information. Sec. 102. Concealment of security breaches involving sensitive personally identifiable information. Sec. 103. Penalties for fraud and related activity in connection with computers. Sec. 104. Trafficking in passwords. Sec. 105. Conspiracy and attempted computer fraud offenses. Sec. 106. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 107. Limitation on civil actions involving unauthorized use. Sec. 108. Reporting of certain criminal cases. Sec. 109. Damage to critical infrastructure computers. Sec. 110. Limitation on actions involving unauthorized use. TITLE IIPRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION Subtitle AA Data Privacy and Security Program Sec. Sec. Sec. Sec. 201. 202. 203. 204. Purpose and applicability of data privacy and security program. Requirements for a personal data privacy and security program. Enforcement. Relation to other laws. Subtitle BSecurity Breach Notification Sec. Sec. Sec. Sec. Sec. Sec. Sec. Sec. Sec. Sec. Sec. 211. 212. 213. 214. 215. 216. 217. 218. 219. 220. 221. Notice to individuals. Exemptions. Methods of notice. Content of notification. Coordination of notification with credit reporting agencies. Notice to law enforcement. Enforcement. Enforcement by State attorneys general. Effect on Federal and State law. Reporting on exemptions. Effective date.
TITLE IIICOMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT Sec. 301. Budget compliance.
1 2
SEC. 2. FINDINGS.
Congress finds that (1) databases of personally identifiable information are increasingly prime targets of hackers, idenS 1897 IS
3 4
VerDate Mar 15 2010
23:00 Jan 08, 2014
Jkt 039200
PO 00000
Frm 00002
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
tity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations; (2) identity theft is a serious threat to the Nations economic stability, national security, homeland security, cybersecurity, the development of e-commerce, and the privacy rights of Americans; (3) security breaches are a serious threat to consumer confidence, homeland security, national security, e-commerce, and economic stability; (4) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information; (5) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities; (6) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individuals livelihood, privacy, and liberty and
24
S 1897 IS
4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
undermine efficient and effective business and government operations; (7) government access to commercial data can potentially improve safety, law enforcement, and national security; and (8) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data.
SEC. 3. DEFINITIONS.
In this Act, the following definitions shall apply: (1) AFFILIATE.The term affiliate means persons related by common ownership or by corporate control. (2) AGENCY.The term agency has the same meaning given such term in section 551 of title 5, United States Code. (3) BUSINESS
ENTITY.The
term business
entity means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or nonprofit.
24
S 1897 IS
5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(4) DATA
TION.The
SYSTEM COMMUNICATION INFORMA-
term data system communication in-
formation means dialing, routing, addressing, or signaling information that identifies the origin, direction, destination, processing, transmission, or termination of each communication initiated, attempted, or received. (5) DESIGNATED
ENTITY.The
term des-
ignated entity means the Federal Government entity designated by the Secretary of Homeland Security under section 216(a). (6) ENCRYPTION.The term encryption (A) means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been generally accepted by experts in the field of information security that renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and (B) includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.
S 1897 IS
6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(7) IDENTITY
THEFT.The
term identity
theft means a violation of section 1028(a)(7) of title 18, United States Code. (8) PERSONALLY
IDENTIFIABLE INFORMA-
TION.The
term personally identifiable informa-
tion means any information, or compilation of information, in electronic or digital form that is a means of identification, as defined by section 1028(d)(7) of title 18, United States Code. (9) PUBLIC
RECORD SOURCE.The
term pub-
lic record source means the Congress, any agency, any State or local government agency, the government of the District of Columbia and governments of the territories or possessions of the United States, and Federal, State or local courts, courts martial and military commissions, that maintain personally identifiable information in records available to the public. (10) SECURITY (A) IN
BREACH.
GENERAL.The
term security
breach means compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that result in, or that there is a reasonable basis to conclude has resulted in
24
S 1897 IS
7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(i) the unauthorized acquisition of sensitive personally identifiable information; and (ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization. (B) EXCLUSION.The term security
breach does not include (i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; (ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements or the release of information obtained from a public record, including information obtained from a news report or periodical; or (iii) any lawfully authorized investigative, protective, or intelligence activity of a law enforcement or intelligence agency of
24 25
S 1897 IS
VerDate Mar 15 2010 23:00 Jan 08, 2014 Jkt 039200 PO 00000
Frm 00007
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
the United States, a State, or a political subdivision of a State. (11) SENSITIVE

FORMATION.The PERSONALLY IDENTIFIABLE IN-
term sensitive personally identi-
fiable information means any information or compilation of information, in electronic or digital form that includes the following: (A) An individuals first and last name or first initial and last name in combination with any two of the following data elements: (i) Home address or telephone number. (ii) Mothers maiden name. (iii) Month, day, and year of birth. (B) A non-truncated social security number, drivers license number, passport number, or alien registration number or other government-issued unique identification number. (C) Unique biometric data such as a fingerprint, voice print, a retina or iris image, or any other unique physical representation. (D) A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.
24 25
S 1897 IS
9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(E) Any combination of the following data elements: (i) An individuals first and last name or first initial and last name. (ii) A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code. (iii) Any security code, access code, or password, or source code that could be used to generate such codes or passwords. (12) SERVICE
PROVIDER.The
term service
provider means a business entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the business entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and the business entity transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data that such business entity transmits, routes, stores, or provides connections. Any such business entity
24 25
S 1897 IS
10 1 2 3 4 5 6 7 8 9 10 11 12 13 shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.
TITLE IENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
Section 1961(1) of title 18, United States Code, is
14 amended by inserting section 1030 (relating to fraud and 15 related activity in connection with computers) if the act 16 is a felony, before section 1084. 17 18 19 20
SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.
(a) IN GENERAL.Chapter 47 of title 18, United
21 States Code, is amended by adding at the end the fol22 lowing:
S 1897 IS
11 1 1041. Concealment of security breaches involving 2 3 4

sensitive personally identifiable information
(a) IN GENERAL.Whoever, having knowledge of a
5 security breach and of the fact that notice of such security 6 breach is required under title II of the Personal Data Pri7 vacy and Security Act of 2014, intentionally and willfully 8 conceals the fact of such security breach, shall, in the 9 event that such security breach results in economic harm 10 to any individual in the amount of $1,000 or more, be 11 fined under this tile or imprisoned for not more than 5 12 years, or both. 13 (b) PERSON DEFINED.For purposes of subsection
14 (a), the term person has the meaning given the term in 15 section 1030(e)(12). 16 (c) NOTICE REQUIREMENT.Any person seeking
17 an exemption under section 212(b) of the Personal Data 18 Privacy and Security Act of 2014 shall be immune from 19 prosecution under this section if the Federal Trade Com20 mission does not indicate, in writing, that such notice be 21 given under section 212(b)(3) of such Act.. 22 (b) CONFORMING
AND
TECHNICAL AMENDMENTS.
23 The table of sections for chapter 47 of title 18, United

24 States Code, is amended by adding at the end the fol25 lowing:
S 1897 IS
12
1041. Concealment of security breaches involving sensitive personally identifiable information..
1 2 3 4 5 6 7 8 9 10 11 12
(c) ENFORCEMENT AUTHORITY. (1) IN

GENERAL.The
United States Secret
Service and Federal Bureau of Investigation shall have the authority to investigate offenses under section 1041 of title 18, United States Code, as added by subsection (a). (2) NONEXCLUSIVITY.The authority granted in paragraph (1) shall not be exclusive of any existing authority held by any other Federal agency.
SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is
13 amended to read as follows: 14 (c) The punishment for an offense under subsection
15 (a) or (b) of this section is 16 17 18 19 20 21 22

(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; (2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or
S 1897 IS
13 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under paragraph (a)(2) of this section, if (i) the offense was committed for purposes of commercial advantage or private financial gain; (ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or (iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds $5,000; (3) a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(3) of this section; (4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; (5)(A) except as provided in subparagraph (D), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused
24
S 1897 IS
14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; (v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or (vi) damage affecting 10 or more protected computers during any 1-year period; (B) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clauses (i) through (vi) of subparagraph (A) of this subsection;
24 25
S 1897 IS
15 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or (D) a fine under this title, imprisonment for not more than 1 year, or both, for any other offense under subsection (a)(5); (6) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or (7) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section..
SEC. 104. TRAFFICKING IN PASSWORDS.
Section 1030(a) of title 18, United States Code, is
17 amended by striking paragraph (6) and inserting the fol18 lowing: 19 20 21 22 23

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in (A) any password or similar information through which a protected computer as defined in subparagraphs (A) and (B) of subsection (e)(2) may be accessed without authorization; or
24 25
S 1897 IS
16 1 2 3 4 5 6 7
SEC.
(B) any means of access through which a protected computer as defined in subsection (e)(2)(A) may be accessed without authorization..
105. CONSPIRACY AND ATTEMPTED COMPUTER
FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is
8 amended by inserting for the completed offense after 9 punished as provided. 10 11 12 13

SEC. 106. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is
14 amended by striking subsections (i) and (j) and inserting 15 the following: 16 17 18 19 20 21 22 23
(i) CRIMINAL FORFEITURE. (1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States (A) such persons interest in any property, real or personal, that was used, or in-
24
S 1897 IS
17 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
tended to be used, to commit or facilitate the commission of such violation; and (B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. (2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. (j) CIVIL FORFEITURE. (1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: (A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. (B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property
24 25
S 1897 IS
18 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. (2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General..
SEC. 107. LIMITATION ON CIVIL ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(g) of title 18, United States Code, is
16 amended 17 18 19 20 and (2) by adding at the end the following: (2) No action may be brought under this subsection (1) by inserting (1) before Any person;
21 if a violation of a contractual obligation or agreement, 22 such as an acceptable use policy or terms of service agree23 ment, constitutes the sole basis for determining that actkelley on DSK3SPTVN1PROD with BILLS
24 cess to the protected computer is unauthorized, or in ex25 cess of authorization..

S 1897 IS
19 1 2
SEC. 108. REPORTING OF CERTAIN CRIMINAL CASES.
Section 1030 of title 18, United States Code, is
3 amended by adding at the end the following: 4 (k) REPORTING CERTAIN CRIMINAL CASES.Not
5 later than 1 year after the date of the enactment of this 6 Act, and annually thereafter, the Attorney General shall 7 report to the Committee on the Judiciary of the Senate 8 and the Committee on the Judiciary of the House of Rep9 resentatives the number of criminal cases brought under 10 subsection (a) that involve conduct in which 11 12 13 14 15 16 17 18 19 20 21 22 (1) the defendant (A) exceeded authorized access to a nongovernmental computer; or (B) accessed a non-governmental computer without authorization; and (2) the sole basis for the Government determining that access to the non-governmental computer was unauthorized, or in excess of authorization was that the defendant violated a contractual obligation or agreement with a service provider or employer, such as an acceptable use policy or terms of service agreement..
S 1897 IS
20 1 2 3
SEC. 109. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) IN GENERAL.Chapter 47 of title 18, United
4 States Code, is amended by inserting after section 1030 5 the following: 6 1030A. Aggravated damage to a critical infrastruc7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
ture computer
(a) DEFINITIONS.In this section (1) the terms computer and damage have the meanings given such terms in section 1030; and (2) the term critical infrastructure computer means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including (A) gas and oil production, storage, and delivery systems; (B) water supply systems; (C) telecommunication networks; (D) electrical power delivery systems; (E) finance and banking systems; (F) emergency services; (G) transportation systems and services; and
24 25
S 1897 IS
21 1 2 3 (H) government operations that provide essential services to the public. (b) OFFENSE.It shall be unlawful to, during and
4 in relation to a felony violation of section 1030, inten5 tionally cause or attempt to cause damage to a critical 6 infrastructure computer, and such damage results in (or, 7 in the case of an attempt, would, if completed have re8 sulted in) the substantial impairment 9 10 11 12 13 (1) of the operation of the critical infrastructure computer; or (2) of the critical infrastructure associated with the computer. (c) PENALTY.Any person who violates subsection
14 (b) shall be fined under this title, imprisoned for not less 15 than 3 years nor more than 20 years, or both. 16 (d) CONSECUTIVE SENTENCE.Notwithstanding
17 any other provision of law 18 19 20 21 22 23

(1) a court shall not place on probation any person convicted of a violation of this section; (2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other pro-
24
S 1897 IS
22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 vision of law, including any term of imprisonment imposed for the felony violation section 1030; (3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and (4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.. (b) TECHNICAL
AND
CONFORMING AMENDMENT.
21 The table of sections for chapter 47 of title 18, United 22 States Code, is amended by inserting after the item relat23 ing to section 1030 the following:
1030A. Aggravated damage to a critical infrastructure computer..
S 1897 IS
23 1 2 3
SEC. 110. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code,
4 is amended by striking alter; and inserting alter, but 5 does not include access in violation of a contractual obliga6 tion or agreement, such as an acceptable use policy or 7 terms of service agreement, with an Internet service pro8 vider, Internet website, or non-government employer, if 9 such violation constitutes the sole basis for determining 10 that access to a protected computer is unauthorized;. 11 12 13 14 15 16 17 18
TITLE IIPRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION Subtitle AA Data Privacy and Security Program
SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY PROGRAM.
(a) PURPOSE.The purpose of this subtitle is to en-
19 sure standards for developing and implementing adminis20 trative, technical, and physical safeguards to protect the 21 security of sensitive personally identifiable information. 22 (b) APPLICABILITY.A business entity engaging in
23 interstate commerce that involves collecting, accessing,

24 transmitting, using, storing, or disposing of sensitive per25 sonally identifiable information in electronic or digital 26 form on 10,000 or more United States persons is subject
S 1897 IS
24 1 to the requirements for a data privacy and security pro2 gram under section 202 for protecting sensitive personally 3 identifiable information. 4 (c) LIMITATIONS.Notwithstanding any other obli-
5 gation under this subtitle, this subtitle does not apply to 6 the following: 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(1) FINANCIAL tutions
INSTITUTIONS.Financial
insti-
(A) subject to the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C.
6801(b)); and (B) subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)). (2) HIPAA
REGULATED ENTITIES. ENTITIES.Covered
(A) COVERED
entities
subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act. (B) BUSINESS
ENTITIES.A
business enti-
ty shall be deemed in compliance with this Act if the business entity
24
S 1897 IS
25 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(i) is acting as a business associate, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in compliance with the requirements imposed under that Act and implementing regulations promulgated under that Act; and (ii) is subject to, and currently in compliance, with the privacy and data security requirements under sections 13401 and 13404 of division A of the American Reinvestment and Recovery Act of 2009 (42 U.S.C. 17931 and 17934) and implementing regulations promulgated under such sections. (3) SERVICE
PROVIDERS.A
service provider
for any electronic communication by a third party, to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication. (4) PUBLIC
RECORDS.Public
records not oth-
24 25
erwise subject to a confidentiality or nondisclosure requirement, or information obtained from a public
S 1897 IS
26 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
record, including information obtained from a news report or periodical. (d) SAFE HARBORS. (1) IN
GENERAL.A
business entity shall be
deemed in compliance with the privacy and security program requirements under section 202 if the business entity complies with or provides protection equal to industry standards or standards widely accepted as an effective industry practice, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such business entity. (2) LIMITATION.Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.
SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY PROGRAM.
(a) PERSONAL DATA PRIVACY

GRAM.A
AND
SECURITY PRO-
24
business entity subject to this subtitle shall
25 comply with the following safeguards and any other adS 1897 IS
27 1 ministrative, technical, or physical safeguards identified by 2 the Federal Trade Commission in a rulemaking process 3 pursuant to section 553 of title 5, United States Code, 4 for the protection of sensitive personally identifiable infor5 mation: 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(1) SCOPE.A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities. (2) DESIGN.The personal data privacy and security program shall be designed to (A) ensure the privacy, security, and confidentiality of sensitive personally identifying information; (B) protect against any anticipated
vulnerabilities to the privacy, security, or integrity of sensitive personally identifying information; and (C) protect against unauthorized access to use of sensitive personally identifying information that could create a significant risk of harm or fraud to any individual.
24
S 1897 IS
28 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(3) RISK shall
ASSESSMENT.A
business entity
(A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information; (B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; (C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and (D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware. (4) RISK
MANAGEMENT AND CONTROL.Each
24
business entity shall
S 1897 IS
29 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(A) design its personal data privacy and security program to control the risks identified under paragraph (3); (B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that (i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals; (ii) detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access; (iii) protect sensitive personally identifiable information storage, during and use, transby
mission,
disposal
encryption, redaction, or access controls that are widely accepted as an effective industry practice or industry standard, or
24 25
S 1897 IS
Frm 00029
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
30 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w) and the implementing regulations of such Act as set forth in section 682 of title 16, Code of Federal Regulations); (iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers, diskettes, and other electronic media that contain sensitive personally identifiable information; (v) trace access to records containing sensitive personally identifiable information so that the business entity can determine who accessed or acquired such sensitive personally identifiable information pertaining to specific individuals; and (vi) ensure that no third party or customer of the business entity is authorized to access or acquire sensitive personally identifiable information without the business entity first performing sufficient due
24 25
S 1897 IS
Frm 00030
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
31 1 2 3 4 5 6 7 8 9 10 11 12 diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and (C) establish a plan and procedures for minimizing the amount of sensitive personally identifiable information maintained by such business entity, which shall provide for the retention of sensitive personally identifiable information only as reasonably needed for the business purposes of such business entity or as necessary to comply with any legal obligation. (b) TRAINING.Each business entity subject to this
13 subtitle shall take steps to ensure employee training and 14 supervision for implementation of the data security pro15 gram of the business entity. 16 17 18 19 20 21 22 23
(c) VULNERABILITY TESTING. (1) IN

GENERAL.Each
business entity subject
to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures. (2) FREQUENCY.The frequency and nature of the tests required under paragraph (1) shall be de-
24
S 1897 IS
32 1 2 3 termined by the risk assessment of the business entity under subsection (a)(3). (d) RELATIONSHIP
TO
CERTAIN PROVIDERS
OF
4 SERVICES.In the event a business entity subject to this 5 subtitle engages a person or entity not subject to this sub6 title (other than a service provider) to receive sensitive 7 personally identifiable information in performing services 8 or functions (other than the services or functions provided 9 by a service provider) on behalf of and under the instruc10 tion of such business entity, such business entity shall 11 12 13 14 15 16 17 18 19 20 21 22 23
(1) exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and (2) require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to section 201, this section, and subtitle B. (e) PERIODIC ASSESSMENT
AND AND
24
PERSONAL DATA
25 PRIVACY
S 1897 IS
VerDate Mar 15 2010 23:00 Jan 08, 2014 Jkt 039200
SECURITY MODERNIZATION.Each busi-
PO 00000
Frm 00032
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
33 1 ness entity subject to this subtitle shall on a regular basis 2 monitor, evaluate, and adjust, as appropriate its data pri3 vacy and security program in light of any relevant changes 4 in 5 6 7 8 9 10 11 12 13 14 15 16 17 18 (1) technology; (2) the sensitivity of personally identifiable information; (3) internal or external threats to personally identifiable information; and (4) the changing business arrangements of the business entity, such as (A) mergers and acquisitions; (B) alliances and joint ventures; (C) outsourcing arrangements; (D) bankruptcy; and (E) changes to sensitive personally identifiable information systems. (f) IMPLEMENTATION TIMELINE.Not later than 1
19 year after the date of enactment of this Act, a business 20 entity subject to the provisions of this subtitle shall imple21 ment a data privacy and security program pursuant to this 22 subtitle. 23
SEC. 203. ENFORCEMENT.
24
(a) CIVIL PENALTIES.
S 1897 IS
34 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(1) IN
GENERAL.Any
business entity that vio-
lates the provisions of section 201 or 202 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation. (2) INTENTIONAL
OR WILLFUL VIOLATION.A
business entity that intentionally or willfully violates the provisions of section 201 or 202 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation. (3) PENALTY (A) IN
LIMITS. GENERAL.Notwithstanding
any
other provision of law, the total sum of civil penalties assessed against a business entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions shall not exceed $500,000, unless such conduct is found to be willful or intentional. (B) DETERMINATIONS.The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provi-
24 25
S 1897 IS
35 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 sion of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. (C) ADDITIONAL
PENALTY LIMIT.If
court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $500,000. (4) EQUITABLE
RELIEF.A
business entity en-
gaged in interstate commerce that violates this section may be enjoined from further violations by a United States district court. (5) OTHER
RIGHTS AND REMEDIES.The
rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law. (b) FEDERAL TRADE COMMISSION AUTHORITY.
20 Any business entity shall have the provisions of this sub21 title enforced against it by the Federal Trade Commission. 22 23
(c) STATE ENFORCEMENT. (1) CIVIL

ACTIONS.In
any case in which the
24 25
attorney general of a State or any State or local law enforcement agency authorized by the State attorney
S 1897 IS
36 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the acts or practices of a business entity that violate this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction to (A) enjoin that act or practice; (B) enforce compliance with this subtitle; or (C) obtain civil penalties of not more than $5,000 per violation per day while such violations persist, up to a maximum of $500,000 per violation. (2) PENALTY (A) IN
LIMITS. GENERAL.Notwithstanding
any
other provision of law, the total sum of civil penalties assessed against a business entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions shall not exceed $500,000, unless such conduct is found to be willful or intentional. (B) DETERMINATIONS.The determination of whether a violation of a provision of this
24 25
S 1897 IS
37 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. (C) ADDITIONAL
PENALTY LIMIT.If
court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $500,000. (3) NOTICE. (A) IN
GENERAL.Before
filing an action
under this subsection, the attorney general of the State involved shall provide to the Federal Trade Commission (i) a written notice of that action; and (ii) a copy of the complaint for that action. (B) EXCEPTION.Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this
24 25
S 1897 IS
38 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action. (C) NOTIFICATION
WHEN PRACTICABLE.
In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Federal Trade Commission as soon after the filing of the complaint as practicable. (4) FEDERAL
ITY.Upon TRADE COMMISSION AUTHOR-
receiving notice under paragraph (2),
the Federal Trade Commission shall have the right to (A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4); (B) intervene in an action brought under paragraph (1); and (C) file petitions for appeal. (5) PENDING
PROCEEDINGS.If
the Federal
Trade Commission initiates a Federal civil action for a violation of this subtitle, or any regulations thereunder, no attorney general of a State may bring an action for a violation of this subtitle that resulted
24 25
S 1897 IS
39 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
from the same or related acts or omissions against a defendant named in the Federal civil action initiated by the Federal Trade Commission. (6) RULE
OF CONSTRUCTION.For
purposes of
bringing any civil action under paragraph (1) nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to (A) conduct investigations; (B) administer oaths and affirmations; or (C) compel the attendance of witnesses or the production of documentary and other evidence. (7) VENUE;
SERVICE OF PROCESS.
(A) VENUE.Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code. (B) SERVICE
OF PROCESS.In
an action
brought under this subsection, process may be served in any district in which the defendant (i) is an inhabitant; or (ii) may be found.
24 25
S 1897 IS
Frm 00039
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
40 1 (d) NO PRIVATE CAUSE

OF
ACTION.Nothing in
2 this subtitle establishes a private cause of action against 3 a business entity for violation of any provision of this sub4 title. 5 6
SEC. 204. RELATION TO OTHER LAWS.
(a) IN GENERAL.No State may require any busi-
7 ness entity subject to this subtitle to comply with any re8 quirements with respect to administrative, technical, and 9 physical safeguards for the protection of personal informa10 tion. 11 (b) LIMITATIONS.Nothing in this subtitle shall be
12 construed to modify, limit, or supersede the operation of 13 the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or 14 its implementing regulations, including those adopted or 15 enforced by States. 16 17 18 19
Subtitle BSecurity Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.
(a) IN GENERAL.Except as provided in section 212,
20 any agency, or business entity engaged in interstate com21 merce, other than a service provider, that uses, accesses, 22 transmits, stores, disposes of or collects sensitive person23 ally identifiable information shall, following the discovery
24 of a security breach of such information, notify any resi25 dent of the United States whose sensitive personally idenS 1897 IS
41 1 tifiable information has been, or is reasonably believed to 2 have been, accessed, or acquired. 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(b) OBLIGATION OF OWNER OR LICENSEE. (1) NOTICE

TO OWNER OR LICENSEE.Any
agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information. (2) NOTICE
BY OWNER, LICENSEE, OR OTHER
DESIGNATED THIRD PARTY.Nothing
in this sub-
title shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a). (3) BUSINESS
NOTICE.A ENTITY RELIEVED FROM GIVING
business entity obligated to give notice
under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security
24 25
S 1897 IS
42 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
breach, or other designated third party, provides such notification. (4) SERVICE
PROVIDERS.If
a service provider
becomes aware of a security breach of data in electronic form containing sensitive personal information that is owned or possessed by another business entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to notify the business entity who initiated such connection, transmission, routing, or storage of the security breach if the business entity can be reasonably identified. Upon receiving such notification from a service provider, the business entity shall be required to provide the notification required under subsection (a). (c) TIMELINESS OF NOTIFICATION. (1) IN
GENERAL.All
notifications required
under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach. (2) REASONABLE (A) IN
DELAY.
24 25
GENERAL.Reasonable
delay under
this subsection may include any time necessary
S 1897 IS
43 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment described in section 202(a)(3), and restore the reasonable integrity of the data system and provide notice to law enforcement when required. (B) EXTENSION. (i) IN
GENERAL.Except
as provided
in subsection (d), delay of notification shall not exceed 60 days following the discovery of the security breach, unless the business entity or agency requests an extension of time and the Federal Trade Commission determines in writing that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, or to provide notice to the designated entity. (ii) APPROVAL
OF REQUEST.If
the
Federal Trade Commission approves the request for delay, the agency or business entity may delay the time period for notifi-
24
S 1897 IS
44 1 2 3 4 5 6 7 8 9 10 11 cation for additional periods of up to 30 days. (3) BURDEN

OF PRODUCTION.The
agency,
business entity, owner, or licensee required to provide notice under this subtitle shall, upon the request of the Attorney General or the Federal Trade Commission provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification. (d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW
12 ENFORCEMENT OR NATIONAL SECURITY PURPOSES. 13 14 15 16 17 18 19 20 21 22 23

(1) IN
GENERAL.If
the United States Secret
Service or the Federal Bureau of Investigation determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the agency or business entity that experienced the breach. The notification from the United States Secret Service or the Federal Bureau of Investigation shall specify in writing the period of delay requested for law enforcement or national security purposes.
24 25
S 1897 IS
45 1 2 3 4 5 6 7 8 9 10 11 12 13 14 (2) EXTENDED
DELAY OF NOTIFICATION.If
the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary. (3) LAW
ENFORCEMENT IMMUNITY.No
non-
constitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification for law enforcement or national security purposes under this subtitle. (e) LIMITATIONS.Notwithstanding any other obli-
15 gation under this subtitle, this subtitle does not apply to 16 the following: 17 18 19 20 21 22 23
(1) FINANCIAL tutions
INSTITUTIONS.Financial
insti-
(A) subject to the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C.
6801(b)); and (B) subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)).
24 25
S 1897 IS
46 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(2) HIPAA
REGULATED ENTITIES. ENTITIES.Covered
(A) COVERED
entities
subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act. (B) BUSINESS
ENTITIES.A
business enti-
ty shall be deemed in compliance with this Act if the business entity (i)(I) is acting as a covered entity and as a business associate, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in compliance with the requirements imposed under that Act and implementing regulations promulgated under that Act; and (II) is subject to, and currently in compliance, with the data breach notification, privacy and data security requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act, (42 U.S.C. 17932) and implementing thereunder; or regulations promulgated
24 25
S 1897 IS
Frm 00046
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
47 1 2 3 4 5 6 7 8 9 10 (ii) is acting as a vendor of personal health records and third party service provider, subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17937), including the data breach notification requirements and implementing regulations of that Act.
SEC. 212. EXEMPTIONS.
(a) EXEMPTION
FOR
NATIONAL SECURITY
AND
LAW
11 ENFORCEMENT. 12 13 14 15 16 17 18 19 20 21 22 23
(1) IN
GENERAL.Section
211 shall not apply
to an agency or business entity if (A) the United States Secret Service or the Federal Bureau of Investigation determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations; or (B) the Federal Bureau of Investigation determines that notification of the security breach could be expected to cause damage to the national security.
24
S 1897 IS
48 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(2) IMMUNITY.No non-constitutional cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification for law enforcement or national security purposes under this title. (b) SAFE HARBOR. (1) IN
GENERAL.An
agency or business entity
shall be exempt from the notice requirements under section 211, if (A) a risk assessment conducted by the agency or business entity concludes that, based upon the information available, there is no significant risk that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to the individuals whose sensitive personally identifiable information was subject to the security breach; (B) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the Federal Trade Commission, the agency or business entity notifies the Federal Trade Commission, in writing, of (i) the results of the risk assessment; and
24 25
S 1897 IS
Frm 00048
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
49 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(ii) its decision to invoke the risk assessment exemption; and (C) the Federal Trade Commission does not indicate, in writing, within 10 business days from receipt of the decision, that notice should be given. (2) REBUTTABLE
PRESUMPTIONS.For
pur-
poses of paragraph (1) (A) the encryption of sensitive personally identifiable information described in paragraph (1)(A)(i) shall establish a rebuttable presumption that no significant risk exists; and (B) the rendering of sensitive personally identifiable information described in paragraph (1)(A)(ii) unusable, unreadable, or indecipherable through data security technology or methodology that is generally accepted by experts in the field of information security, such as redaction or access controls shall establish a rebuttable presumption that no significant risk exists. (3) VIOLATION.It shall be a violation of this section to (A) fail to conduct the risk assessment in a reasonable manner, or according to standards
24
S 1897 IS
50 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
generally accepted by experts in the field of information security; or (B) submit the results of a risk assessment that contains fraudulent or deliberately misleading information. (c) FINANCIAL FRAUD PREVENTION EXEMPTION. (1) IN
GENERAL.A
business entity will be ex-
empt from the notice requirement under section 211 if the business entity utilizes or participates in a security program that (A) effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and (B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions. (2) LIMITATION.The exemption in paragraph (1) does not apply if the information subject to the security breach includes an individuals first and last name, or any other type of sensitive personally identifiable information as defined in section 3, unless that information is only a credit card number or credit card security code.
24 25
S 1897 IS
51 1 2
SEC. 213. METHODS OF NOTICE.
An agency or business entity shall be in compliance
3 with section 211 if it provides the following: 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

(1) INDIVIDUAL
NOTICE.Notice
to individuals
by one of the following means: (A) Written notification to the last known home mailing address of the individual in the records of the agency or business entity. (B) Telephone notice to the individual personally. (C) E-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001). (2) MEDIA
NOTICE.Notice
to major media
outlets serving a State or jurisdiction, if the number of residents of such State whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000.
SEC. 214. CONTENT OF NOTIFICATION.
24
(a) IN GENERAL.Regardless of the method by
25 which notice is provided to individuals under section 213, 26 such notice shall include, to the extent possible
S 1897 IS
52 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 (1) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person; (2) a toll-free number (A) that the individual may use to contact the agency or business entity, or the agent of the agency or business entity; and (B) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual; and (3) the toll-free contact telephone numbers and addresses for the major credit reporting agencies. (b) ADDITIONAL CONTENT.Notwithstanding sec-
16 tion 219, a State may require that a notice under sub17 section (a) shall also include information regarding victim 18 protection assistance provided for by that State. 19 (c) DIRECT BUSINESS RELATIONSHIP.Regardless
20 of whether a business entity, agency, or a designated third 21 party provides the notice required pursuant to section 22 211(b), such notice shall include the name of the business 23 entity or agency that has a direct relationship with the
24 individual being notified.
S 1897 IS
53 1 2 3
SEC. 215. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.
If an agency or business entity is required to provide
4 notification to more than 5,000 individuals under section 5 211(a), the agency or business entity shall also notify all 6 consumer reporting agencies that compile and maintain 7 files on consumers on a nationwide basis (as defined in 8 section 603(p) of the Fair Credit Reporting Act (15 9 U.S.C. 1681a(p))) of the timing and distribution of the 10 notices. Such notice shall be given to the consumer credit 11 reporting agencies without unreasonable delay and, if it 12 will not delay notice to the affected individuals, prior to 13 the distribution of notices to the affected individuals. 14 15 16 17 18 19 20 21 22 23
SEC. 216. NOTICE TO LAW ENFORCEMENT.
(a) DESIGNATION
CEIVE
OF
GOVERNMENT ENTITY TO RE-
NOTICE. (1) IN
GENERAL.Not
later than 60 days after
the date of enactment of this Act, the Secretary of Homeland Security shall designate a Federal Government entity to receive the notices required under section 212 and this section, and any other reports and information about information security incidents, threats, and vulnerabilities. (2) RESPONSIBILITIES
ENTITY.The OF THE DESIGNATED
24 25
designated entity shall
S 1897 IS
54 1 2 3 4 5 6 7 8 9 10 11 (A) be responsible for promptly providing the information that it receives to the United States Secret Service and the Federal Bureau of Investigation, and to the Federal Trade Commission for civil law enforcement purposes; and (B) provide the information described in subparagraph (A) as appropriate to other Federal agencies for law enforcement, national security, or data security purposes. (b) NOTICE.Any business entity or agency shall no-
12 tify the designated entity of the fact that a security breach 13 has occurred if 14 15 16 17 18 19 20 21 22 23
(1) the number of individuals whose sensitive personally identifying information was, or is reasonably believed to have been accessed or acquired by an unauthorized person exceeds 5,000; (2) the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 500,000 individuals nationwide; (3) the security breach involves databases owned by the Federal Government; or
24
S 1897 IS
55 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(4) the security breach involves primarily sensitive personally identifiable information of individuals known to the agency or business entity to be employees and contractors of the Federal Government involved in national security or law enforcement. (c) FTC RULEMAKING
OLDS. AND
REVIEW
OF
THRESH-
(1) REPORTS.Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission, in consultation with the Attorney General of the United States and the Secretary of Homeland Security, shall promulgate regulations under section 553 of title 5, United States Code, regarding the reports required under subsection (a). (2) THRESHOLDS
FOR NOTICE.The
Federal
Trade Commission, in consultation with the Attorney General and the Secretary of Homeland Security, after notice and the opportunity for public comment, and in a manner consistent with this section, shall promulgate regulations, as necessary, under section 553 of title 5, United States Code, to adjust the thresholds for notice to law enforcement and national security authorities under subsection (a) and to facilitate the purposes of this section.
24 25
S 1897 IS
56 1 (d) TIMING.The notice required under subsection
2 (a) shall be provided as promptly as possible, but such 3 notice must be provided either 72 hours before notice is 4 provided to an individual pursuant to section 211, or not 5 later than 10 days after the business entity or agency dis6 covers the security breach or discovers that the nature of 7 the security breach requires notice to law enforcement 8 under this section, whichever occurs first. 9 10
SEC. 217. ENFORCEMENT.
(a) IN GENERAL.The Attorney General and the
11 Federal Trade Commission may enforce civil violations of 12 section 211. 13 14 15 16 17 18 19 20 21 22 23

(b) CIVIL ACTIONS

THE
BY THE
ATTORNEY GENERAL
OF
UNITED STATES. (1) IN

GENERAL.The
Attorney General may
bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $11,000 per day per security breach. (2) PENALTY
LIMITATION.Notwithstanding
24 25
any other provision of law, the total amount of the civil penalty assessed against a business entity for
S 1897 IS
57 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
conduct involving the same or related acts or omissions that results in a violation of this subtitle may not exceed $1,000,000. (3) DETERMINATIONS.The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. (4) ADDITIONAL
PENALTY LIMIT.If
a court
determines under paragraph (3) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $1,000,000. (c) INJUNCTIVE ACTIONS
ERAL. BY THE
ATTORNEY GEN-
(1) IN
GENERAL.If
it appears that a business
entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order
24 25
S 1897 IS
58 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(A) enjoining such act or practice; or (B) enforcing compliance with this subtitle. (2) ISSUANCE
OF ORDER.A
court may issue
an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle. (d) CIVIL ACTIONS
MISSION. BY THE
FEDERAL TRADE COM-
(1) IN
GENERAL.Compliance
with the require-
ments imposed under this subtitle may be enforced under the Federal Trade Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade Commission with respect to business entities subject to this Act. All of the functions and powers of the Federal Trade Commission under the Federal Trade Commission Act are available to the Commission to enforce compliance by any person with the requirements imposed under this title. (2) PENALTY (A) IN
LIMITATION. GENERAL.Notwithstanding
any
other provision of law, the total sum of civil penalties assessed against a business entity for all violations of the provisions of this subtitle resulting from the same or related acts or omis-
24
S 1897 IS
59 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
sions may not exceed $1,000,000, unless such conduct is found to be willful or intentional. (B) DETERMINATIONS.The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. (C) ADDITIONAL
PENALTY LIMIT.If
court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $1,000,000. (3) UNFAIR
TICES.For OR DECEPTIVE ACTS OR PRAC-
the purpose of the exercise by the Fed-
eral Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of a
24 25
S 1897 IS
60 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(I)(B)) regarding unfair or deceptive acts or practices and shall be subject to enforcement by the Federal Trade Commission under that Act with respect to any business entity, irrespective of whether that business entity is engaged in commerce or meets any other jurisdictional tests in the Federal Trade Commission Act. (e) COORDINATION OF ENFORCEMENT. (1) IN
GENERAL.Before
opening an investiga-
tion, the Federal Trade Commission shall consult with the Attorney General. (2) LIMITATION.The Federal Trade Commission may initiate investigations under this subsection unless the Attorney General determines that such an investigation would impede an ongoing criminal investigation or national security activity. (3) COORDINATION (A) IN
AGREEMENT.
GENERAL.In
order to avoid con-
flicts and promote consistency regarding the enforcement and litigation of matters under this Act, not later than 180 days after the enactment of this Act, the Attorney General and the Federal Trade Commission shall enter into an
24 25
S 1897 IS
61 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 agreement for coordination regarding the enforcement of this Act. (B) REQUIREMENT.The coordination
agreement entered into under subparagraph (A) shall include provisions to ensure that parallel investigations and proceedings under this section are conducted in a matter that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws. (4) COORDINATION
WITH THE FCC.If
an en-
forcement action under this Act relates to customer proprietary network information, the Federal Trade Commission shall coordinate the enforcement action with the Federal Communications Commission. (f) RULEMAKING.The Federal Trade Commission
17 may, in consultation with the Attorney General, issue such 18 other regulations as it determines to be necessary to carry 19 out this subtitle. All regulations promulgated under this 20 Act shall be issued in accordance with section 553 of title 21 5, United States Code. Where regulations relate to cus22 tomer proprietary network information, the promulgation 23 of such regulations will be coordinated with the Federal
24 Communications Commission.
S 1897 IS
62 1 (g) OTHER RIGHTS AND REMEDIES.The rights and
2 remedies available under this subtitle are cumulative and 3 shall not affect any other rights and remedies available 4 under law. 5 (h) FRAUD ALERT.Section 605A(b)(1) of the Fair
6 Credit Reporting Act (15 U.S.C. 1681c1(b)(1)) is 7 amended by inserting , or evidence that the consumer 8 has received notice that the consumers financial informa9 tion has or may have been compromised, after identity 10 theft report. 11 12 13 14 15 16 17 18 19 20 21 22 23
SEC. 218. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) IN GENERAL. (1) CIVIL

ACTIONS.In
any case in which the
attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this subtitle, the State or the State or local law enforcement agency on behalf of the residents of the agencys jurisdiction, may bring a civil action on behalf of the residents of the State or ju-
24
S 1897 IS
63 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
risdiction in a district court of the United States of appropriate jurisdiction to (A) enjoin that practice; (B) enforce compliance with this subtitle; or (C) civil penalties of not more than $11,000 per day per security breach up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional. (2) PENALTY (A) IN
LIMITATION. GENERAL.Notwithstanding
any
other provision of law, the total sum of civil penalties assessed against a business entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions may not exceed $1,000,000, unless such conduct is found to be willful or intentional. (B) DETERMINATIONS.The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional,
24 25
S 1897 IS
64 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. (C) ADDITIONAL
PENALTY LIMIT.If
court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $1,000,000. (3) NOTICE. (A) IN
GENERAL.Before
filing an action
under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States (i) written notice of the action; and (ii) a copy of the complaint for the action. (B) EXEMPTION. (i) IN
GENERAL.Subparagraph
(A)
shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
24 25
S 1897 IS
Frm 00064
Fmt 6652
Sfmt 6201
E:\BILLS\S1897.IS
S1897
65 1 2 3 4 5 6 7 (ii) NOTIFICATION.In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action. (b) FEDERAL PROCEEDINGS.Upon receiving notice
8 under subsection (a)(2), the Attorney General shall have 9 the right to 10 11 12 13 14 15 16 17 18 19 20 (1) move to stay the action, pending the final disposition of a pending Federal proceeding or action; (2) initiate an action in the appropriate United States district court under section 217 and move to consolidate all pending actions, including State actions, in such court; (3) intervene in an action brought under subsection (a)(2); and (4) file petitions for appeal. (c) PENDING PROCEEDINGS.If the Attorney Gen-
21 eral or the Federal Trade Commission initiate a criminal 22 proceeding or civil action for a violation of a provision of 23 this subtitle, or any regulations thereunder, no attorney
24 general of a State may bring an action for a violation of
S 1897 IS
66 1 a provision of this subtitle against a defendant named in 2 the Federal criminal proceeding or civil action. 3 (d) CONSTRUCTION.For purposes of bringing any
4 civil action under subsection (a), nothing in this subtitle 5 regarding notification shall be construed to prevent an at6 torney general of a State from exercising the powers con7 ferred on such attorney general by the laws of that State 8 to 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
(1) conduct investigations; (2) administer oaths or affirmations; or (3) compel the attendance of witnesses or the production of documentary and other evidence. (e) VENUE; SERVICE OF PROCESS. (1) VENUE.Any action brought under subsection (a) may be brought in (A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or (B) another court of competent jurisdiction. (2) SERVICE
OF PROCESS.In
an action
brought under subsection (a), process may be served in any district in which the defendant (A) is an inhabitant; or
24 25
S 1897 IS
67 1 2 (B) may be found. (f) NO PRIVATE CAUSE OF ACTION.Nothing in this
3 subtitle establishes a private cause of action against a 4 business entity for violation of any provision of this sub5 title. 6 7
SEC. 219. EFFECT ON FEDERAL AND STATE LAW.
For any entity, or agency that is subject to this sub-
8 title, the provisions of this subtitle shall supersede any 9 other provision of Federal law, or any provisions of the 10 law of any State, relating to notification of a security 11 breach, except as provided in section 214(b). Nothing in 12 this subtitle shall be construed to modify, limit, or super13 sede the operation of the Gramm-Leach-Bliley Act (15 14 U.S.C. 6801 et seq.) or its implementing regulations, in15 cluding those regulations adopted or enforced by States, 16 the Health Insurance Portability and Accountability Act 17 of 1996 (42 U.S.C. 1301 et seq.) or its implementing reg18 ulations, or the Health Information Technology for Eco19 nomic and Clinical Health Act (42 U.S.C. 17937) or its 20 implementing regulations. 21 22
SEC. 220. REPORTING ON EXEMPTIONS.
(a) FTC REPORT.Not later than 18 months after
23 the date of enactment of this Act, and upon request by

24 Congress thereafter, the Federal Trade Commission shall 25 submit a report to Congress on the number and nature
S 1897 IS
68 1 of the security breaches described in the notices filed by 2 those business entities invoking the risk assessment ex3 emption under section 212(b) and their response to such 4 notices. 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 (b) LAW ENFORCEMENT REPORT. (1) IN
GENERAL.Not
later than 18 months
after the date of enactment of this Act, and upon the request by Congress thereafter, the United States Secret Service and Federal Bureau of Investigation shall submit a report to Congress on the number and nature of security breaches subject to the national security and law enforcement exemptions under section 212(a). (2) REQUIREMENT.The report required under paragraph (1) shall not include the contents of any risk assessment provided to the United States Secret Service and the Federal Bureau of Investigation under this subtitle.
SEC. 221. EFFECTIVE DATE.
This subtitle shall take effect on the expiration of the
21 date which is 90 days after the date of enactment of this 22 Act.
S 1897 IS
69 1 2 3 4
TITLE IIICOMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 301. BUDGET COMPLIANCE.
The budgetary effects of this Act, for the purpose of
5 complying with the Statutory Pay-As-You-Go Act of 2010, 6 shall be determined by reference to the latest statement 7 titled Budgetary Effects of PAYGO Legislation for this 8 Act, submitted for printing in the Congressional Record 9 by the Chairman of the Senate Budget Committee, pro10 vided that such statement has been submitted prior to the 11 vote on passage.
S 1897 IS

Data Breach Bill 2014 - Leahy S. 1897

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Data Breach Bill 2014 - Leahy S. 1897

Diunggah oleh

Hak Cipta:

Format Tersedia

II

113TH CONGRESS 2D SESSION

IN THE SENATE OF THE UNITED STATES

2 tives of the United States of America in Congress assembled, 3 4

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) SHORT TITLE.This Act may be cited as the

5 Personal Data Privacy and Security Act of 2014. 6 (b) TABLE

CONTENTS.The table of contents of

7 this Act is as follows:

VerDate Mar 15 2010

23:00 Jan 08, 2014

SYSTEM COMMUNICATION INFORMA-

term data system communication in-

term personally identifiable informa-

the United States, a State, or a political subdivision of a State. (11) SENSITIVE

term sensitive personally identi-

Section 1961(1) of title 18, United States Code, is

(a) IN GENERAL.Chapter 47 of title 18, United

21 States Code, is amended by adding at the end the fol22 lowing:

tkelley on DSK3SPTVN1PROD with BILLS

11 1 1041. Concealment of security breaches involving 2 3 4

(a) IN GENERAL.Whoever, having knowledge of a

23 The table of sections for chapter 47 of title 18, United

24 States Code, is amended by adding at the end the fol25 lowing:

(c) ENFORCEMENT AUTHORITY. (1) IN

United States Secret

Section 1030(c) of title 18, United States Code, is

15 (a) or (b) of this section is 16 17 18 19 20 21 22

Section 1030(a) of title 18, United States Code, is

17 amended by striking paragraph (6) and inserting the fol18 lowing: 19 20 21 22 23

Section 1030(b) of title 18, United States Code, is

8 amended by inserting for the completed offense after 9 punished as provided. 10 11 12 13

Section 1030 of title 18, United States Code, is

Section 1030(g) of title 18, United States Code, is

24 cess to the protected computer is unauthorized, or in ex25 cess of authorization..

Section 1030 of title 18, United States Code, is

tkelley on DSK3SPTVN1PROD with BILLS

(a) IN GENERAL.Chapter 47 of title 18, United

17 any other provision of law 18 19 20 21 22 23

1030A. Aggravated damage to a critical infrastructure computer..

Section 1030(e)(6) of title 18, United States Code,

(a) PURPOSE.The purpose of this subtitle is to en-

23 interstate commerce that involves collecting, accessing,

(1) FINANCIAL tutions

ty shall be deemed in compliance with this Act if the business entity

records not oth-

erwise subject to a confidentiality or nondisclosure requirement, or information obtained from a public

business entity shall be

(a) PERSONAL DATA PRIVACY

business entity subject to this subtitle shall

(3) RISK shall

business entity shall

(c) VULNERABILITY TESTING. (1) IN

business entity subject

SECURITY MODERNIZATION.Each busi-

SEC. 203. ENFORCEMENT.

(a) CIVIL PENALTIES.

business entity that vio-

business entity en-

(c) STATE ENFORCEMENT. (1) CIVIL

any case in which the

receiving notice under paragraph (2),

40 1 (d) NO PRIVATE CAUSE